Next month, legislation is expected to pass the Senate with important governance implications for insurance companies. The bill is part of the Australian Prudential Regulation Authority’s (APRA) new prudential standards requiring insurers to have operational risk controls to improve resilience. The rules impact insurers, banks and any entity holding an APRA license.
Yvonne Lam, special counsel with Clyde & Co, said the Financial Accountability Regime Bill 2023 (FAR) is one of the last recommendations from the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry. The bill focuses on accountability and transparency.
“Commissioner Hayne [Kenneth Hayne] recommended that the existing banking executive accountability regime be rolled out to the rest of the financial services industry,” said Lam. “It’s taken some time.”
According to her global law firm’s upcoming briefing paper, APRA’s new rules aim to help businesses deal with the growing threat of “large scale disruptions” like cyber incidents and become more resilient. The regulator has defined operational resilience as the ability of entities to continue operation through disruption from man-made shocks, natural hazards and changing market conditions.
Lam said that, after its likely passage through the Senate, the new bill will be rolled out in the banking sector over six months, and then the insurance industry will follow.
She said APRA prudential standards for governance already exist.
“That’s to do with board composition and there are also prudential standards to do with fit and proper persons, so your responsible persons who run APRA regulated entities,” she said. “There’s also a new prudential standard that came into effect on January 1 this year to govern remuneration in these organizations.”
The FAR bill, she said, focuses on enhancing the accountability and transparency of accountable persons within organisations like insurance companies.
“It’s helping APRA and also ASIC [the Australian Securities and Investments Commission], because it will be a jointly administered piece of legislation, to improve the risk and governance culture but also to zero in on who is responsible within these organizations for ensuring that the risk and governance frameworks are being enforced and are driving the right behaviours and outcomes,” said Lam.
The Clyde & Co special counsel said FAR ties together existing APRA prudential requirements in relation to remuneration and governance while adding the accountability element. Lam said insurance firms will need to deal with this accountability requirement in several different ways.
“You’ve got an accountable entity,” she said. “So at the industry level, they will need to identify who, within the organization, fits within the definition of accountable person and once that comes into play, there needs to be an accountability map that’s drawn out.”
The mapping exercise, she said, will also involve specific individuals providing accountability statements.
“It’s a holistic piece and it will require not only board and senior manager engagement, but also HR, your people function within these organizations to bring that all together with what is already in the existing governance framework,” said Lam.
“The tightening of the regime now under this enhanced breach reporting regime is to make sure that anything that is considered to be a reportable situation for a core obligation is more strictly defined,” said Lam.
The tightened controls, she said, include obliging insurers to report any breach investigation that goes over 30 calendar days.
“So you can’t use the excuse that we’re still going through an investigation and gathering the facts to try and buy yourself more time,” she said.
In December, the General Insurance Code Governance Committee (GICGC) reported a “substantial increase” in significant breaches of the General Insurance Code of Practice. The breaches are self-reported by insurance companies.
According to the GICGC’s annual report, 22 insurance companies reported a total of 116 significant breaches, up from 57 in 2020–21. The breaches affected over 1.7 million consumers, said the report, and resulted in remediation payments of more than $52 million.
Earlier this month, the chair of the Insurance Brokers Code of Compliance Committee (IBCCC), Oscar Shub, called on brokers to embrace “a culture of reporting”.
The call followed the release of the IBCCC’s latest annual data report analysing the performance of insurance brokers subscribed to the Insurance Brokers Code of Practice. The report found that over half of the brokers reported zero breaches in 2021.
“While reporting zero breaches of the code may sound impressive, it does not necessarily mean a subscriber is doing well,” Shub said. “So, reporting no breaches does not reflect perfection as much as it reflects poor monitoring and a failure to embrace a culture of reporting.”
Both the Insurance Brokers Code of Practice and the General Insurance Code of Practice are voluntary codes.